What the Army’s Cloud Computing Strategy Really Means

Nearly three years after the Defense Department released its cloud computing strategy, the Army is setting the stage to speed adoption of cloud technologies within its ranks.

The Army’s cloud computing strategy, released last month, complements the DoD’s 2012 document but also embodies the Pentagon’s evolving views on the benefits of cloud and how best to procure services. In its strategy, the Army details the role cloud computing will play in the service’s larger network modernization agenda, what cloud deployment and security models the Army is considering and how it plans to mitigate risks.

“[DoD Chief Information Officer] Mr. Halverson has given much more latitude and guidance about how we can move to the commercial cloud,” said Gary Blohm, Director of Army Architecture Integration Center. “So we really felt when he gave additional guidance and authorities to the service components that the time was right for us to move out, and the first step was the strategy.”

The Army’s next step will be to publish a more detailed policy for executing commercial cloud adoption, and it will govern all Army systems and applications moving to commercial hosting environments.

Unlike the Pentagon’s 2012 document, the Army’s strategy explains how the service will provide cloud resources to soldiers operating in a disconnected, intermittent or low-bandwidth environment, said Gary Blohm, Director of Army Architecture Integration Center. Under the new strategy, the Army will:

Maintain the ability to create and process mission-critical data locally while disconnected.

Establish consistency semantics for reconciling data when full network connectivity is restored.

Another update in the Army’s strategy is the inclusion of the DoD Cloud Computing Security Requirements Guide (SRG), which is used to classify military data, based on its sensitivity. The SRG classifies publicly released data, secret information, and everything in between into four impact levels (2, 4, 5 and 6), but the Army maintains data classified above the secret level and therefore must comply with Intelligence Community requirements to secure that information, the strategy notes.

The Army will take advantage of the Federal Risk and Authorization Management Program (FedRAMP) for unclassified, publicly releasable information, Blohm said. “So if it’s purely publicly releasable, FedRAMP is good enough. For applications or systems that have data requirements beyond that unclassified, such as FOUO [For Official Use Only], then we leverage the DISA Cloud Security Requirements Guide to vet those providers.”

For now, the focus is migrating unclassified and FOUO data to the cloud, but the Army is keeping a close eye on the IC’s GovCloud model. The strategy notes that cloud infrastructure, people and processes will be central to enabling DoD’s Joint Information Environment initiative.

The Army’s Crawl-Walk-Run Approach

Although the Army has established several pilots to test use cases in the cloud, the goal is to move out of the crawl phase in fiscal 2016 by standing up a cloud contracting vehicle through the Army’s Program Executive Office for Enterprise Information Systems. The hope is that cloud procurements will pick up in fiscal 2017 and beyond.

“I think the biggest challenge is culturally,” Blohm said. “There are a lot a folks that are excited about moving to the cloud. There’s other people that may want keep their own systems in their own hands and maintain that control.”

But the U.S. Army Training and Doctrine Command (TRADOC) and the U.S. Army Corps of Engineers are among the early adopters making progress with cloud pilots. For TRADOC, “their integrated training environment that includes things like gaming and publications, and other training materials, we think is a great opportunity to put stuff on the cloud.”

In crafting the Army’s cloud strategy, Blohm and his team collaborated with the National Security Agency, Defense Information Systems Agency, DoD chief information officer, the author of the DoD Cloud Computing Strategy and Army Cyber Command, he said, noting that the Pentagon’s views on cloud computing have evolved since the 2012 strategy was released.

In December, DoD CIO Terry Halvorsen released a memo updating the department’s guidance for acquiring and using commercial cloud services. The memo permits DoD components to work directly with cloud providers to buy services and clarifies that each component is responsible for determining what data and missions should be hosted by commercial companies.

The upcoming policy will help shape commercial cloud buying in the Army and ensure the service uses its buying power, as opposed to organizations within the Army going directly to service providers (or what Blohm calls a Wild West environment).

“We’re in a crawl, walk, run kind a model,” Blohm said of the Army’s cloud adoption. “We think that this year is a crawl year for us.”